A peep into Future Technology

Tag Archives: cross-site scripting

The latest version of Firefox(3.5) is here with so many features……namely User Experience, Performance, Security, Customization…..!!

Still there is so much Firefox is looking ahead to……..Here is the most significant one which is up the sleeve…..

The matter of concern is how websites can block code from unknown sources. Here, firefox wants to Unplug Scripting Attacks.

Sites that rely on user-created content can unwittingly be employed to attack their own users via JavaScript and other common forms of Web code. This security issue, known as cross-site scripting (XSS), can, for example, allow an attacker to access a victim’s account and steal personal data.

Now the makers of the Firefox Web browser plan to adopt a strategy to help block the attacks. The technology, called Content Security Policy (CSP), will let a website’s owner specify what Internet domains are allowed to host the scripts that run on its pages.

XSS attacks have caused numerous headaches, particularly for social networks and Web 2.0 companies, allowing attackers to hijack eBay auctions, for example, and create a worm that caused MySpace users to automatically befriend a user named “Samy.” The core problem is that many sites allow untrusted users to add their own content to pages while Web browsers treat all content returned by a website as coming from the same entity. If the website is trusted, the content created by an unknown user is trusted as well. The issue has been counted as one of the 25 most serious coding problems by the SANS Institute, a training organization for system administrators and programmers.

In many cases, Web companies can hunt down and restrict dangerous user-created content. But because many sites are so big, finding and fixing all vulnerabilities is a time-consuming and difficult task. Moreover, many sites, notably social-networking ones, want to allow their users some leeway to create interesting content.

Mozilla’s CSP will break with Web browsers’ tradition of treating all scripts the same way. Instead, it will require that participating websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts.

An engineer at the Mozilla Foundation, Gervase Markham, championed the idea within the Firefox team and further developed the technology, and noted Web security researcher Jeremiah Grossman publicly called for adoption of the technique. Four years later, Mozilla has committed to implementing the technology.

The new Firefox security feature could help block another form of attack, known as clickjacking, which allows an attacker to trick a user into clicking an unsafe button–for example, initiating a bank transfer when she believes that she is sending an e-mail. However, clickjacking is a problem so pervasive that an opt-in model really doesn’t work, says Hansen.